When Run frontend and backend in diff domain it not working

[AsrarMemon]

var express = require('express');
var cookieParser = require('cookie-parser');
var session = require('express-session');
var cors = require('cors')

var app = express();

app.use(cors())

app.use(cookieParser());
app.use(session({
  secret: "thisismys",
  saveUninitialized: true,
  cookie: {         
    domain: 'localhost:4000', 
    sameSite: 'none',
    secure: false,
   maxAge: days 
  },
  resave: true
}));

app.get('/', function(req, res){
   if(req.session.page_views){
      req.session.page_views++;
      res.send("You visited this page " + req.session.page_views + " times");
   } else {
      req.session.page_views = 1;
      res.send("Welcome to this page for the first time!");
   }
});
app.listen(4022)

When I run Frontend and backend on localhost it working
But When I put this backend code on server and try to call from frontend it is always retune first time
I have already tried with credentials, sameSite all options
but nothing work for me

Your help would be great for me, Already opened issue on slack as well not reply received

[jrjake]

domain: 'localhost:4000',

You need to change this to your domain. Otherwise, the cookie will not be set and naturally it will seem like no session was created.

[Sheshant-Manure]

Hey @AsrarMemon!
I am facing the same challenge. Setting up the cookie in the browser in the deployed environment is not as simple as we think it is. Especially when the client and server are deployed at different origins. I tried various possible configurations of cors middleware and express-session middleware. For instance,

app.use(cors({
  origin: `${ process.env.CLIENT_URL }`, 
  credentials: true,
}));

app.use(session({
  name: 'GitHubConnect.sid',
  secret: process.env.SESSION_SECRET,
  resave: false,
  saveUninitialized: false,
  cookie: {
    domain: process.env.COOKIE_DOMAIN,
    maxAge: 1000 * 60 * 60 * 24,
    secure: true,
    httpOnly: true,
  }
}));

app.use((req, res, next) => {
  res.setHeader("Access-Control-Allow-Origin", process.env.CLIENT_URL);
  next();
})

But, I came to an understanding that this works only for projects that are deployed at a single origin. Apparently, we cannot set cookies in cross-origin deployed projects. Hence, I recommend you to choose other methods such as token-based authentication - JWT.